Analysis
-
max time kernel
36s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
14-06-2024 04:40
General
-
Target
d8a5a5ae00005e3da9f58b5c36e78d5ee974a8f0308b05adf3b63fbb86c0dae5.exe
-
Size
343KB
-
MD5
db610ee561ee75545d06dd08f90f59f0
-
SHA1
38473820167d560e67aec2ad118fb1eefdf7e1ed
-
SHA256
d8a5a5ae00005e3da9f58b5c36e78d5ee974a8f0308b05adf3b63fbb86c0dae5
-
SHA512
3e5f960648e321cf24bfc54727c4c13fbad09f41c20fdd7dfeb915b03f6c3c6415a0982924483285f401c1e511ebdf2a5fbd6adee6ba7e72a9c42b64f47cdb11
-
SSDEEP
6144:2qHGoq/TMMFIgLYW6E5vmCT/jBqxDi4d/5WyQYEx:24dNMFIkP5vB/j2Di4dxWtx
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 2 TTPs 9 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 18 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 13 IoCs
-
UPX dump on OEP (original entry point) 21 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
UPX packed file 21 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\d8a5a5ae00005e3da9f58b5c36e78d5ee974a8f0308b05adf3b63fbb86c0dae5.exe"C:\Users\Admin\AppData\Local\Temp\d8a5a5ae00005e3da9f58b5c36e78d5ee974a8f0308b05adf3b63fbb86c0dae5.exe"2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d8a5a5ae00005e3da9f58b5c36e78d5ee974a8f0308b05adf3b63fbb86c0dae5mgr.exeC:\Users\Admin\AppData\Local\Temp\d8a5a5ae00005e3da9f58b5c36e78d5ee974a8f0308b05adf3b63fbb86c0dae5mgr.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 923⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
6Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\7-Zip\Uninstall.exeFilesize
185KB
MD5bd2049dd8ba43ff9c3847677ce3837ac
SHA1b8ec29e4b97526c3fad079f11fce3fbc9ecf8af4
SHA256a30742fb31394e6cd941b1dbe896b403b9550002add121b22edc2f466e173c47
SHA512af37d85afc8c0cafb2452686297375258d80324d2d651a06e203c645c0146d8c2153e780f2278d0f6e128fd6cc2a33e94869a3002db1be7ccb19dc8bbc170c61
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.htmlFilesize
350KB
MD5b6eeb14453cc0fc52853866974f3d2d4
SHA12b9f9d504e0f070b6a94d6f7bd9a3609131112e6
SHA256547334d412752b342ea29361d12e7621b64033ee476625210fdfbac5db4b0103
SHA51210b9b8d1fb508661bc79bd7fc27fa33d2562ebdacbe340e7e4761e22dabdf9c055f1f9b8812536848a9a8267be2e27a039c86e7c65c79422bf12c2a65adef328
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.htmlFilesize
346KB
MD564bc2ddc157a029ee4452275403dd17f
SHA15c37069482091a29ec9d875ab06abbe7b3c265c7
SHA2560856b4f2ad6106bd468430506010e9d8cfae6c49c517fa3e9224dba38cabe7f7
SHA512095f35eadf52978c90ec91db7ea3bcca0e0e864de1a757859ad59b273d52ffe5e78185de13c9a3b104838e87ed0d42b723b0e13db38c1e2f7b7c70cb2b71ca3c
-
C:\Windows\SYSTEM.INIFilesize
257B
MD54900340783bace7192804913810d218d
SHA123794a19a127ca76b17cb087d35cfe792cefcb9b
SHA25615a2b52f676e7f80fda0d448674b28a8cbd802f75df06452819d4d142e646fb2
SHA51262ce6fea54fe054a850fb3ec5d2e10bfc988ccc94fe893cddc95292f55f37b7e0298feb007adc14a5d775eee1b12feb3659e2856aa4f096f8ce98e40cec9e9b2
-
C:\uojga.exeFilesize
100KB
MD52ee8a5e3848af98f5a83c494e0cc5c7e
SHA13deab7f334eafc454b1b90429b219ddfaee55397
SHA256e81bd6558f1cfa4e8c3dc4db9c1a4315d264cc777d57336d11ed922f02ec64a0
SHA51214fe6ea82223345b8670598d3e011a9f6d23cb661e30236f952dbb6a11e2b6f5d071a91d090d807aed83564eb7fbe17a531a38b5b226013f859e9cc09741f6a7
-
\Users\Admin\AppData\Local\Temp\d8a5a5ae00005e3da9f58b5c36e78d5ee974a8f0308b05adf3b63fbb86c0dae5mgr.exeFilesize
168KB
MD5c81960aefb3afc22deb400ff7f46e055
SHA10df9c9d0bd90f155562d23b725594f928bf25d34
SHA25659cf806b4dfddb829196278a1d2e18f7956d2fd1ac6f54d460a11d2441ad9eba
SHA512dd86ca45cb086beb9775f1377cb94b0444d4b4d173804c5e1868ab8224e206620737c67e838544e6134f52fad6c2eb6acf2ddf333a26cf3228710ec88b64764d
-
memory/352-82-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/352-1176-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/352-85-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/352-116-0x0000000002430000-0x0000000002490000-memory.dmpFilesize
384KB
-
memory/352-87-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/1112-53-0x0000000000420000-0x0000000000422000-memory.dmpFilesize
8KB
-
memory/1428-90-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/1428-106-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/1428-107-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/1428-99-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/1428-105-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/1428-104-0x00000000000A0000-0x00000000000A1000-memory.dmpFilesize
4KB
-
memory/1428-1180-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2116-47-0x00000000024F0000-0x000000000357E000-memory.dmpFilesize
16.6MB
-
memory/2116-78-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/2116-48-0x00000000024F0000-0x000000000357E000-memory.dmpFilesize
16.6MB
-
memory/2116-41-0x00000000024F0000-0x000000000357E000-memory.dmpFilesize
16.6MB
-
memory/2116-83-0x0000000000950000-0x0000000000951000-memory.dmpFilesize
4KB
-
memory/2116-88-0x0000000000940000-0x0000000000942000-memory.dmpFilesize
8KB
-
memory/2116-719-0x00000000024F0000-0x000000000357E000-memory.dmpFilesize
16.6MB
-
memory/2116-80-0x000000007735F000-0x0000000077360000-memory.dmpFilesize
4KB
-
memory/2116-79-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2116-35-0x00000000024F0000-0x000000000357E000-memory.dmpFilesize
16.6MB
-
memory/2116-77-0x00000000024F0000-0x000000000357E000-memory.dmpFilesize
16.6MB
-
memory/2116-76-0x0000000000830000-0x0000000000831000-memory.dmpFilesize
4KB
-
memory/2116-103-0x0000000000940000-0x0000000000942000-memory.dmpFilesize
8KB
-
memory/2116-696-0x00000000024F0000-0x000000000357E000-memory.dmpFilesize
16.6MB
-
memory/2116-44-0x00000000024F0000-0x000000000357E000-memory.dmpFilesize
16.6MB
-
memory/2116-49-0x00000000024F0000-0x000000000357E000-memory.dmpFilesize
16.6MB
-
memory/2116-46-0x00000000024F0000-0x000000000357E000-memory.dmpFilesize
16.6MB
-
memory/2116-42-0x00000000024F0000-0x000000000357E000-memory.dmpFilesize
16.6MB
-
memory/2116-34-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/2116-718-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2268-63-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2268-0-0x0000000000400000-0x0000000000460000-memory.dmpFilesize
384KB
-
memory/2268-9-0x00000000001B0000-0x00000000001E4000-memory.dmpFilesize
208KB
-
memory/2268-84-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2268-3-0x00000000001B0000-0x00000000001E4000-memory.dmpFilesize
208KB
-
memory/2268-64-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/2268-81-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/2268-86-0x0000000000400000-0x0000000000460000-memory.dmpFilesize
384KB
-
memory/2940-17-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2940-448-0x00000000026A0000-0x000000000372E000-memory.dmpFilesize
16.6MB
-
memory/2940-29-0x0000000000416000-0x0000000000420000-memory.dmpFilesize
40KB
-
memory/2940-32-0x00000000026A0000-0x000000000372E000-memory.dmpFilesize
16.6MB
-
memory/2940-31-0x0000000000401000-0x0000000000416000-memory.dmpFilesize
84KB
-
memory/2940-12-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2940-13-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2940-14-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2940-15-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2940-16-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/2940-30-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2940-18-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB